Belt Finance Flash Loan attack, Belt BUSD strategy attacked
Hi there students,
Today another major flash loan attack took place, this time on BELT Finance. Belt Finance is one of the popular “vault strategy” platforms, where you can deposit your crypto capital in one of the many vaults, which they invest for you in various strategies to optimize the yield. It was by many considered as a safe platform, which is the reason this attack took its users by surprise. Let’s take a run down of what is Belt Finance and what the attacker did to exploit their contracts.
- What is Belt Finance?
Belt.fi is a stableswap AMM protocol that incorporates multi-strategy yield optimizing on Binance Smart Chain (BSC) and HECO Chain with low fees/slippage that also provides aggregation through vault compounding, lending and yield generation for maximum return. By utilizing multiple strategies simultaneously, Belt.fi minimizes dependence on any one protocol while generating users the best possible yield rates in DeFi. This also protects users from low-liquidity withdrawal issues.
Users do not actively need to move their assets around between protocols to find the best yield, as Belt Finance vaults do it for them. — From the BELT Finance official website.
We will see in the following analysis that the issue with the attack was the vault strategy of Belt Finance. Belt Finance has a token named beltBUSD, that integrates 6 strategies:
The beltBUSD price is an aggregate of all these strategies. We will see that the attacker has used in particular Venus and Ellipsis to manipulate the BUSD-USDT price and exploit the smart contract.
2. The attack step-by step
The attacker used 8 similar transactions. The first transaction (that you can see here)had an additional step (step 2), whereas the rest of the 7 transactions were identical.
Step 1:Flash loans
The attacker used PancakeSwap to take out 8 flash loans for a total of $385m.
Step 2: Belt Ellipsis BUSD strategy deposit
The attacker deposited 10m BUSD into the Ellipsis strategy. This step only happened during the 1st of transaction, to allow for BUSD and USDT peg manipulation in step 4.
Step 3: Belt Venus BUSD strategy deposit
The attacker deposited 187m BUSD into the Venus BUSD strategy. This allowed him to get 184m beltUSD.
Step 4: BUSD-USDT swap on Ellipsis
The attacker used Ellipsis to swap 187m BUSD into 170m USDT. This allowed a manipulation of the BUSD-USDT peg on Ellipsis. The issue was that the attacker got beltUSD for his deposit of BUSD into the Venus strategy. The attacker used the fact that the Belt BUSD smart contract (you can see it here) uses the balance of all BUSD held in all strategies of Belt.
function eps3ToWant() public view returns (uint256) {
uint256 busdBal = IERC20(busdAddress).balanceOf(ellipsisSwapAddress);
uint256 usdcBal = IERC20(usdcAddress).balanceOf(ellipsisSwapAddress);
uint256 usdtBal = IERC20(usdtAddress).balanceOf(ellipsisSwapAddress);
(uint256 curEps3Bal, )= LpTokenStaker(ellipsisStakeAddress).userInfo(poolId, address(this));
uint256 totEps3Bal = IERC20(eps3Address).totalSupply();
return busdBal.mul(curEps3Bal).div(totEps3Bal)
.add(
usdcBal.mul(curEps3Bal).div(totEps3Bal)
)
.add(
usdtBal.mul(curEps3Bal).div(totEps3Bal)
);
}
So by manipulating the BUSD-USDT peg on Ellipsis, they indirectly impacted the beltUSD price they were holding through the Venus strategy. Which leads to step 5:
Step 5: Withdrawal of the Venus Strategy
The attacker withdrew 198m BUSD (from 187m originally) from the Venus strategy.
Step 6: Swap back the USDT to BUSD
The attacker swapped back his 170m USDT obtained in step 3 to 189m BUSD through Ellipsis. They lost 1m BUSD in this transaction.
Step 7: redeposit BUSD to Venus Strategy
The attacker deposited back the 197m BUSD (they “lost” 1m BUSD for the back and forth BUSD-USDT swap) they gained into the Venus strategy, in order to repeat step 3 through 6, 7 times over.
Step 8: Repay the flash loans
After 7 loops, the attacker cashed out the profits and repaid the flash loans.
Step 9: repeat again!
And furthermore, the attacker did 8 identical transactions (each transactions including the 7 times loop)
The gains are not always the same amounts, and they had some costs in between transactions, but we can estimated they made at least $5–10 mUSD. I will update you guys once we get a clear update from Belt Finance.
3. BSC under attack every day, what can we do?
Flash loans are being used for most of the daily attacks we are seeing. There are so many attacks that I still have the Burgerswap attack in draft mode because Belt happened before I could finish writing about Burger…
If you are interested in my thought about how platform can protect themselves against such attacks, please have a look at my following article:
Thanks for your attention students, stay safe and I hope my next article will not be about another major attack…
